×
Government

DHS Steps In As Regulator for Medical Device Security 123

Posted by timothy from the handicapper-general dept.
mask.of.sanity writes "The Department of Homeland Security has taken charge of pushing medical device manufacturers to fix vulnerable medical software and devices after researchers popped yet another piece of hospital hardware. It comes after the agency pushed Philips to move to fix critical vulnerabilities found in its popular medical management platform that is used in a host of services including assisting surgeries and generating patient reports. To date, no agency has taken point on forcing the medical manufacturers to improve the information security profile of their products, with the FDA even dubbing such a risk unrealistic (PDF)."
Security

New Phishing Toolkit Uses Whitelisting To 'Bounce' Non-Victims 71

Posted by samzenpus from the on-to-the-next dept.
chicksdaddy writes "Researchers at RSA say that a new phishing toolkit allows attackers to put a velvet rope around scam web pages – bouncing all but the intended victims. The new toolkit, dubbed 'Bouncer,' was discovered in an analysis of attacks on financial institutions in South Africa, Australia and Malaysia in recent weeks. It allows attackers to generate a unique ID for each intended victim, then embed that in a URL that is sent to the victim. Outsiders attempting to access the phishing page are redirected to a '404 page not found' error message. Other phishing kits have used IP address blacklists to block anti malware companies from viewing their malicious pages, but this is the first known use of whitelisting, RSA said. The phishing attacks that RSA technicians discovered that used the Bouncer kit were designed to harvest login credentials from financial services firms. The whitelisting feature may well work, especially given the volume of potential phishing pages that security companies review each day. Getting a 404 message may be enough to get a forensic investigator or security researcher to move on to the next phishing site, rather than investigating."
Java

Another Java Exploit For Sale 150

Posted by samzenpus from the a-new-flavor dept.
tsamsoniw writes "Mere days after Oracle rolled out a fix for the latest Java zero-day vulnerabilities, an admin for an Underweb hacker forum put code for a purportedly new Java exploit up for sale for $5,000. Though unconfirmed, it's certainly plausible that the latest Java patch didn't do the job, based on an analysis by the OpenJDK community. Maybe it's high time for Oracle to fix Java to better protect both its enterprise customers and the millions of home users it picked up when it acquired Sun."
Security

Employee Outsourced Programming Job To China, Spent Days Websurfing 457

Posted by Soulskill from the working-hard-or-hardly-working dept.
New submitter kju writes "The security blog of Verizon has the story of an investigation into unauthorized VPN access from China which led to unexpected findings. Investigators found invoices from a Chinese contractor who had actually done the work of the employee, who spent the day watching cat videos and visiting eBay and Facebook. The man had Fedexed his RSA token to the contractor and paid only about 1/5th of his income for the contracting service. Because he provided clean code on time, he was noted in his performance reviews to be the best programmer in the building. According to the article, the man had similar scams running with other companies."
Power

Malware Infects US Power Facilities Through USB Drives 136

Posted by Soulskill from the under-your-thumbdrive dept.
angry tapir writes "Two U.S. power companies have reported infections of malware during the past three months, with the bad software apparently brought in through tainted USB drives, according to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The publication (PDF) did not name the malware discovered. The tainted USB drive came in contact with a 'handful of machines' at the power generation facility and investigators found sophisticated malware on two engineering workstations critical to the operation of the control environment, ICS-CERT said."
Businesses

IT Job Market Recovering Faster Now Than After Dot-com Bubble Burst 242

Posted by Soulskill from the certainly-caused-by-your-political-party's-fine-efforts dept.
tsamsoniw writes "More new tech jobs have emerged since the end of the past recession than during the same recovery timelines following the dot-com bubble burst and the early-1990s recession. What's more, the unemployment rate among technology professionals is now half that of the national average — with especially low unemployment rates for database administrators and network architects. What's not clear, though, is how many unemployed techies aren't being counted because they've abandoned job searches."
Medicine

Course Asks University Students To Tackle Medical Device Insecurity 38

Posted by Soulskill from the putting-your-pacemaker-through-its-paces dept.
chicksdaddy writes "The University of Michigan will be among the first to offer graduate students the opportunity to study the security of advanced medical devices. The course, EECS 598-008 'Medical Device Security' will teach graduate students in UMich's Electrical Engineering and Computer Science program 'the engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps.' The new course comes amid rapid change in the market for sophisticated medical devices like insulin pumps, respirators and monitoring stations, which increasingly run on versions of the same operating systems that power desktops and servers. In 2011, the U.S. Food and Drug Administration reported that software failures were the root cause of a quarter of all medical device recalls (PDF)."
Bug

Bug Sends Lost-Phone Seekers To Same Wrong Address 298

Posted by timothy from the geo-magnetic-personality dept.
netbuzz writes "A mysterious GPS-tracking glitch has brought a parade of lost-phone seekers — and police officers — to the front door of a single beleaguered homeowner in Las Vegas. Each of the unexpected visitors – Sprint customers all — has arrived absolutely convinced that the man has their phone. Not so, police confirm. The same thing happened in New Orleans in 2011 and Sprint got sued. Says the Las Vegas man: 'It's very difficult to say, 'I don't have your phone,' in any other way other than, 'I don't have your phone.''"
IT

New Data Center Modeled After a Space Station 50

Posted by Unknown Lamer from the martian-it-certification-class dept.
1sockchuck writes "Jon Karlung believes that data centers shouldn't just be cool – they should look cool, too. His latest approach to futuristic IT is a modular data center designed to look like a space station. Karlung, the CEO of Sweden's Bahnhof, previously built a stylish data center in a former nuclear bunker beneath Stockholm featuring a waterfall, which has been compared to the lair of a James Bond villain. Karlung's new design features IT modules built from bullet-proof steel that attach to an inflatable dome for staff. 'Containers are ugly,' Karlung says. 'I think design is too often neglected in our field of business.'"
Networking

Remote Linksys 0-Day Root Exploit Uncovered 133

Posted by samzenpus from the protect-ya-neck dept.
Orome1 writes "DefenseCode researchers have uncovered a remote root access vulnerability in the default installation of Linksys routers. They contacted Cisco and shared a detailed vulnerability description along with the PoC exploit for the vulnerability. Cisco claimed that the vulnerability was already fixed in the latest firmware release, which turned out to be incorrect. The latest Linksys firmware (4.30.14) and all previous versions are still vulnerable."
Bug

Security Expert Says Java Vulnerability Could Take Years To Fix, Despite Patch 320

Posted by samzenpus from the long-road-coming dept.
An anonymous reader writes "After the Department of Homeland Security's US-CERT warned users to disable Java to stop hackers from taking control of users' machines, Oracle issued an emergency patch on Sunday. However, HD Moore, chief security officer of Rapid7, said it could take two years for Oracle to fix all the security flaws in the version of Java used to surf the web; that timeframe doesn't count any additional Java exploits discovered in the future. 'The safest thing to do at this point is just assume that Java is always going to be vulnerable,' Moore said."
Security

"Red October" Espionage Malware Campaign Uncovered 53

Posted by samzenpus from the protect-ya-neck dept.
L3sPau1 writes "For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers, to email databases using exploits developed in Chinese and Russian malware, Kaspersky researchers said."
Java

Oracle Ships Java 7 Update 11 With Vulnerability Fixes 243

Posted by samzenpus from the try-it-now dept.
An anonymous reader writes "After announcing a fix was coming just yesterday, Oracle on Sunday released Java 7 Update 11 to address the recently disclosed security vulnerability. If you use Java, you can download the latest update now from the Java Control Panel or directly from Oracle's website here: Java SE 7u11. In the release notes for this update, Oracle notes this version "contains fixes for security vulnerabilities." A closer look at Oracle Security Alert for CVE-2013-0422 details that Update 11 fixes two vulnerabilities."
Australia

Australian Spy Agency Seeks Permission To Hack Third-Party Computers 210

Posted by Soulskill from the you-are-doing-it-wrong dept.
New submitter LordLucless writes "ASIO, Australia's spy agency, is pushing for the ability to lawfully hijack peoples' computers — even if they are not under suspicion of any crime. They seek the ability to gain access to a third party's computer in order to facilitate gaining access to the real target — essentially using any person's personal computer as a proxy for their hacking attempts. The current legislation prohibits any action by ASIO that, among other things, interferes with a person's legitimate use of their computer. Conceivably, over-turning this restriction would give ASIO the ability to build their own bot-net of compromised machines. Perhaps inevitably, they say these changes are required to help them catch terrorists."
Open Source

Who Controls Vert.x: Red Hat, VMware, Neither? 118

Posted by Soulskill from the reply-hazy-try-again dept.
snydeq writes "Simon Phipps sheds light on a fight for control over Vert.x, an open source project for scalable Web development that 'seems immunized to corporate control.' 'Vert.x is an asynchronous, event-driven open source framework running on the JVM. It supports the most popular Web programming languages, including Java, JavaScript, Groovy, Ruby, and Python. It's getting lots of attention, though not necessarily for the right reasons. A developer by the name of Tim Fox, who worked at VMware until recently, led the Vert.x project — before VMware's lawyers forced him to hand over the Vert.x domain, blog, and Google Group. Ironically, the publicity around this action has helped introduce a great technology with an important future to the world. The dustup also illustrates how corporate politics works in the age of open source: As corporate giants grasp for control, community foresight ensures the open development of innovative technology carries on.'"
Botnet

Alleged ZeuS Botmaster Arrested For Stealing $100M From US Banks 76

Posted by timothy from the stumbling-block-on-the-career-path dept.
Trailrunner7 writes "A 24-year-old Algerian man remains in a Thai jail awaiting extradition to the United States, where he is suspected of masterminding more than $100 million in global bank heists using the ZeuS and SpyEye Trojans. Malaysian authorities believe they've apprehended the hacker Hamza Bendelladj, who they say has been jetsetting around the world using millions of dollars stolen online from various banks. He was arrested at a Bangkok airport en route from Malaysia to Egypt. The hacker had developed a considerable reputation as a major operator of ZeuS-powered botnets and bragged about his exploits"
Firefox

Apple and Mozilla Block Vulnerable Java Plug-ins 88

Posted by Soulskill from the no-dogs-allowed dept.
hypnosec writes "Following news that a Java 0-day has been rolled into exploit kits, without any patch to fix the vulnerability, Mozilla and Apple have blocked the latest versions of Java on Firefox and Mac OS X respectively. Mozilla has taken steps to protect its user base from the yet-unpatched vulnerability. Mozilla has added to its Firefox add-on block-list: Java 7 Update 10, Java 7 Update 9, Java 6 Update 38 and Java 6 Update 37. Similar steps have also been taken by Apple; it has updated its anti-malware system to only allow version 1.7.10.19 or higher, thereby automatically blocking the vulnerable version, 1.7.10.18." Here are some ways to disable Java, if you're not sure how.
Security

Anonymous Files Petition To Make DDoS Legal Form of Protest 323

Posted by samzenpus from the let-us-break-stuff dept.
hypnosec writes "Anonymous has filed a petition with the U.S. Government asking the Obama administration to make Distributed Denial of Service (DDoS) attacks a legal form of protest. Anonymous has argued that because of advancements in internet technology, there is a need for new ways of protest. The hacking collective doesn't consider DDoS as a form of attack and equates it to hitting the 'refresh' button on a webpage. Comparing these attacks to the 'occupy' protests, Anonymous notes that instead of people occupying an area, it is their computers occupying a website for a particular period of time."
Security

Thousands of SCADA Devices Discovered On the Open Internet 141

Posted by Unknown Lamer from the easier-that-way dept.
Trailrunner7 writes with news of the continuing poor state of security for industrial control systems. From the article: "Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That's mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It's not a pretty picture. The duo ... have with some help from the Department of Homeland Security (PDF) pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses. ...The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums."
Crime

Java Zero-Day Vulnerability Rolled Into Exploit Packs 193

Posted by Unknown Lamer from the just-can't-win dept.
tsu doh nimh writes "The miscreants who maintain Blackhole and Nuclear Pack — competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware — say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. The curator of Blackhole, a miscreant who uses the nickname 'Paunch,' announced yesterday on several Underweb forums that the Java zero-day was a 'New Year's Gift,' to customers who use his exploit kit. The exploit has since been verified to work on all Java 7 versions by AlienVault Labs. The news comes days after it was revealed that Paunch was reserving his best exploits for a more closely-held exploit pack called Cool Exploit Kit, a license for which costs $10,000 per month."

Slashdot Top Deals